Technical Field
The present invention relates to the field of instant messaging technology, and in particular to a method, apparatus, device and medium for encrypted file transmission that supports cross-domain transfer.
Background Art
With the development of mobile communication technology, the demand for interconnection between enterprises keeps growing. How users in different domains can transmit and share files efficiently and securely, and in particular how large files can be moved securely, is a problem that urgently needs solving. File transmission in existing instant messaging systems generally encrypts files with a digital envelope. That scheme is complex to operate for large groups: the sender must maintain a large amount of user public key information, generate multiple file ciphertexts, and distribute them to the corresponding users. Another existing scheme separates the key from the file ciphertext but still has to generate multiple key ciphertexts at the same time, and the server distributes the corresponding key ciphertext to each designated user receiving end according to the recipient information; the server-side processing logic is therefore complex, and cross-domain transmission is not addressed. As mobile-office scenarios bring more communication and collaboration between organizations and their interaction becomes closer, more and more systems need to consider cross-domain and cross-organization data flow in order to support efficient and secure data exchange and analysis.
Summary of the Invention
In view of this, the purpose of the present invention is to provide a method, apparatus, device and medium for encrypted file transmission that supports cross-domain transfer, so that a file is encrypted once and uploaded once across the whole network, which reduces cost and also reduces the processing complexity of cross-domain transmission of group files. The specific scheme is as follows:
In a first aspect, the present application discloses an encrypted file transmission method supporting cross-domain transfer, comprising:
after the domain server and the user have each registered successfully, determining whether a created user group exists in the central server; if not, creating the user group, generating a group key, and sending the group key to the user terminals based on the user group; the user terminals include a user sending end and user receiving ends;
determining, by the user sending end, whether the file to be transmitted is being transmitted for the first time based on the file Hash corresponding to the file to be transmitted, and, according to the result of that determination, the file Hash, a random number and the group key, encrypting and processing the file to be transmitted and the file key corresponding to the file to be transmitted to obtain a target information packet; wherein the target information packet includes one or a combination of several of the file ID corresponding to the file to be transmitted, the file key derivation parameter ciphertext, and the attribute information of the file to be transmitted;
distributing the target information packet to each user receiving end through the domain server and the central server, so that the user receiving end decrypts the target information packet according to the group key to obtain a decrypted file ID, and obtains the file to be transmitted based on the decrypted file ID.
Optionally, before determining, after the domain server and the user have each registered successfully, whether a created user group exists in the central server, the method further includes:
registering the domain server with the central server, encrypting the first protection key generated by the central server using the domain server protection key, and sending the encrypted first protection key to each domain server;
registering the user with the domain server to which the user belongs, encrypting the second protection key generated by the domain server using the user protection key, and sending the encrypted second protection key to each user terminal.
Optionally, the step of creating the user group and generating a group key if the user group does not exist, and sending the group key to the user terminals based on the user group, includes:
if the user group does not exist, creating the user group and generating the group key through the central server;
encrypting the group key under the first protection key and distributing it to the domain server, so that the domain server, based on the first protection key and the second protection key, first decrypts and then re-encrypts the group key to obtain an encrypted group key, and sends the encrypted group key to the user terminals based on the user group.
Optionally, the step of determining, by the user sending end, whether the file to be transmitted is being transmitted for the first time based on the file Hash corresponding to the file to be transmitted, and, according to the result of that determination, the file Hash, a random number and the group key, encrypting and processing the file to be transmitted and the file key corresponding to the file to be transmitted to obtain a target information packet, includes:
if the file to be transmitted is being transmitted for the first time, deriving from the random number and the file Hash with a key derivation algorithm to generate the file key corresponding to the file to be transmitted;
encrypting, by the user sending end, the file to be transmitted based on the file key to obtain the corresponding file ciphertext;
uploading, by the user sending end, the file ciphertext to the domain server, so that the domain server forwards the file ciphertext to the central server, the central server generates the file ID corresponding to the file to be transmitted, and the file ID is returned to the user sending end;
encrypting the file key with the group key and with the second protection key respectively, to obtain a first file key derivation parameter ciphertext and a second file key derivation parameter ciphertext;
sending, by the user sending end, the file ciphertext, the first file key derivation parameter ciphertext, the second file key derivation parameter ciphertext, the file ID and the attribute information of the file to be transmitted to the domain server for storage, and trans-encrypting, by the domain server, the second file key derivation parameter ciphertext based on the first protection key to obtain a third file key derivation parameter ciphertext;
sending, by the domain server, the first file key derivation parameter ciphertext, the third file key derivation parameter ciphertext, the file ID and the attribute information of the file to be transmitted to the central server, so that the central server saves the third file key derivation parameter ciphertext and the file ID, and distributes the first file key derivation parameter ciphertext, the file ID and the attribute information of the file to be transmitted to each domain server, to obtain a target information packet containing the first file key derivation parameter ciphertext, the file ID and the attribute information of the file to be transmitted.
Optionally, the step of determining, by the user sending end, whether the file to be transmitted is being transmitted for the first time based on the file Hash corresponding to the file to be transmitted, and, according to the result of that determination, the file Hash, a random number and the group key, encrypting and processing the file to be transmitted and the file key corresponding to the file to be transmitted to obtain a target information packet, includes:
if the file to be transmitted is not being transmitted for the first time and the file key corresponding to the file to be transmitted exists locally on the user side, obtaining the file ID, the initial file key derivation parameter ciphertext and the attribute information of the file to be transmitted directly from local storage;
trans-encrypting, under a new group key, the file key derivation parameters corresponding to the initial file key derivation parameter ciphertext to determine a new file key derivation parameter ciphertext, so as to obtain a target information packet containing the new file key derivation parameter ciphertext, the file ID and the attribute information of the file to be transmitted.
Optionally, the step of determining, by the user sending end, whether the file to be transmitted is being transmitted for the first time based on the file Hash corresponding to the file to be transmitted, and, according to the result of that determination, the file Hash, a random number and the group key, encrypting and processing the file to be transmitted and the file key corresponding to the file to be transmitted to obtain a target information packet, includes:
if the file to be transmitted is not being transmitted for the first time, the file key corresponding to the file to be transmitted does not exist locally on the user side, and the file key exists on the domain server, sending, by the domain server in response to a file information acquisition request, the file ID, the file key derivation parameter ciphertext and the attribute information of the file to be transmitted, encrypted with the second protection key, to the user terminal;
if the file to be transmitted is not being transmitted for the first time, the file key corresponding to the file to be transmitted does not exist locally on the user side, and the file key does not exist on the domain server, forwarding, by the domain server, the file information acquisition request to the central server, so that the central server performs trans-encryption protection, based on the first protection key, on the file ID, the initial file key derivation parameter ciphertext and the attribute information of the file to be transmitted to generate a fourth file key derivation parameter ciphertext, and distributes the file ID, the initial file key derivation parameter ciphertext, the attribute information of the file to be transmitted and the fourth file key derivation parameter ciphertext to the domain server under the first protection key;
sending, by the domain server based on the second protection key, the trans-encrypted fourth file key derivation parameter ciphertext to the user terminal;
after the user terminal receives the server's response, trans-encrypting, by the user terminal, the file key derivation parameter ciphertext based on the data protection key DPK to obtain a local key ciphertext, and storing the local key ciphertext, the file ID and the attribute information of the file to be transmitted locally;
after the user terminal receives the server's response, trans-encrypting, by the user terminal, the file key derivation parameter ciphertext based on the group key to obtain a new file key derivation parameter ciphertext, and determining the target information packet based on the new file key derivation parameter ciphertext, the file ID and the attribute information of the file to be transmitted.
Optionally, after determining whether a created user group exists in the central server, the method further includes:
if the user group exists, sending the group key directly to the user terminal.
Optionally, distributing the target information packet to each user receiving end through the domain server and the central server includes:
forwarding, by the domain server, the target file information to the central server, so that the central server distributes the target file information to each domain server, and each domain server distributes the target file information to each user receiving end.
Optionally, the step of distributing the target information packet to each user receiving end through the domain server and the central server, so that the user receiving end decrypts the target information packet according to the group key to obtain a decrypted file ID and obtains the file to be transmitted based on the decrypted file ID, includes:
distributing the target information packet to each user receiving end through the domain server and the central server, so that the user receiving end decrypts the target information packet according to the group key to obtain the decrypted file ID;
pulling the file ciphertext corresponding to the file to be transmitted from the domain server or the central server based on the file ID, and decrypting the file ciphertext according to the decrypted file ID, to obtain the file to be transmitted and determine whether the file to be transmitted has been tampered with.
In a second aspect, the present application discloses an encrypted file transmission apparatus supporting cross-domain transfer, comprising:
a group determination module, configured to determine, after the domain server and the user have each registered successfully, whether a created user group exists in the central server, and if not, to create the user group, generate a group key, and send the group key to the user terminals based on the user group; the user terminals include a user sending end and user receiving ends;
a transmission file determination module, configured to determine, through the user sending end, whether the file to be transmitted is being transmitted for the first time based on the file Hash corresponding to the file to be transmitted, and, according to the result of that determination, the file Hash, a random number and the group key, to encrypt and process the file to be transmitted and the file key corresponding to the file to be transmitted to obtain a target information packet; wherein the target information packet includes one or a combination of several of the file ID corresponding to the file to be transmitted, the file key derivation parameter ciphertext, and the attribute information of the file to be transmitted;
a transmission file acquisition module, configured to distribute the target information packet to each user receiving end through the domain server and the central server, so that the user receiving end decrypts the target information packet according to the group key to obtain a decrypted file ID, and obtains the file to be transmitted based on the decrypted file ID.
In a third aspect, the present application discloses an electronic device, comprising:
a memory, configured to store a computer program;
a processor, configured to execute the computer program to implement the aforementioned encrypted file transmission method supporting cross-domain transfer.
In a fourth aspect, the present application discloses a computer-readable storage medium for storing a computer program which, when executed by a processor, implements the aforementioned encrypted file transmission method supporting cross-domain transfer.
When encrypting and transmitting a cross-domain file, the present application first determines, after the domain server and the user have each registered successfully, whether a created user group exists in the central server; if not, the user group is created, a group key is generated, and the group key is sent to the user terminals based on the user group; the user terminals include a user sending end and user receiving ends. The user sending end then determines whether the file to be transmitted is being transmitted for the first time based on the file Hash corresponding to the file to be transmitted, and, according to the result of that determination, the file Hash, a random number and the group key, encrypts and processes the file to be transmitted and the file key corresponding to the file to be transmitted to obtain a target information packet; the target information packet includes one or a combination of several of the file ID corresponding to the file to be transmitted, the file key derivation parameter ciphertext, and the attribute information of the file to be transmitted. Finally, the target information packet is distributed to each user receiving end through the domain server and the central server, so that the user receiving end decrypts the target information packet according to the group key to obtain a decrypted file ID, and obtains the file to be transmitted based on the decrypted file ID.
In this way, the present application encrypts the file using the file Hash and a random number, generating a new kind of session key, with no need to additionally use HMAC or MAC for integrity protection. At the same time, in the present application the same file only needs to be uploaded once across the whole cross-domain network, and the client does not need to download the file repeatedly, which reduces cost and improves transmission efficiency. The key protection mechanism for group communication has lower processing complexity, the advantage is more pronounced for large groups, and file utilization on the server is high.
Brief Description of the Drawings
In order to explain the embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only embodiments of the present invention, and a person of ordinary skill in the art can obtain other drawings from the provided drawings without creative effort.
FIG. 1 is a flow chart of an encrypted file transmission method supporting cross-domain transfer disclosed in the present application;
FIG. 2 is a schematic diagram of a registration process disclosed in the present application;
FIG. 3 is a schematic diagram of group creation disclosed in the present application;
FIG. 4 is a schematic diagram of a cross-domain file sending process disclosed in the present application;
FIG. 5 is a schematic diagram of another cross-domain file sending process disclosed in the present application;
FIG. 6 is a schematic structural diagram of an encrypted file transmission apparatus supporting cross-domain transfer disclosed in the present application;
FIG. 7 is a structural diagram of an electronic device disclosed in the present application.
Detailed Description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments of the present invention. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
File transmission in existing instant messaging systems generally encrypts files with a digital envelope. That scheme is complex to operate for large groups: the sender must maintain a large amount of user public key information, generate multiple file ciphertexts, and distribute them to the corresponding users. Another existing scheme separates the key from the file ciphertext but still has to generate multiple key ciphertexts at the same time, and the server distributes the corresponding key ciphertext to each designated user receiving end according to the recipient information; the server-side processing logic is therefore complex, and cross-domain transmission is not addressed. To solve these technical problems, the present application discloses an encrypted file transmission method supporting cross-domain transfer, so that a file is encrypted once and uploaded once across the whole network, which reduces cost and also reduces the processing complexity of cross-domain transmission of group files.
As shown in FIG. 1, an embodiment of the present invention discloses an encrypted file transmission method supporting cross-domain transfer, including:
Step S11: after the domain server and the user have each registered successfully, determine whether a created user group exists in the central server; if not, create the user group, generate a group key, and send the group key to the user terminals based on the user group; the user terminals include a user sending end and user receiving ends.
In this embodiment, before a file is transmitted, as shown in FIG. 2, the domain server first needs to be registered with the central server, the first protection key generated by the central server is encrypted using the domain server protection key, and the encrypted first protection key is sent to each domain server; the user is registered with the domain server to which the user belongs, the second protection key generated by the domain server is encrypted using the user protection key, and the encrypted second protection key is sent to each user terminal. Specifically, the domain server registers with the central server, and the central server generates the key distribution protection key KDK_S and distributes it to each domain server encrypted under the domain server protection key EPKdomain. The user registers with the home domain server, and the domain server generates the key distribution protection key KDK_C and distributes it to each user terminal protected under the user protection key EPKusr. Only after registration is complete can file transmission proceed.
When a user sends a cross-domain file, however, a group needs to be created on the central server, as shown in FIG. 3. If the group exists, the group protection key GK is sent directly to the client; if the group does not exist, the key needs to be generated and then sent to the client. It is therefore necessary to first determine whether a created user group exists in the central server. If the user group does not exist, the user group is created and the group key is generated through the central server; the group key is encrypted under the first protection key and distributed to the domain server, so that the domain server, based on the first protection key and the second protection key, first decrypts and then re-encrypts the group key to obtain the encrypted group key, and sends the encrypted group key to the user terminals based on the user group. In detail, the central server creates the group and generates the group key, and distributes the group protection key to the domain server under encryption; the domain server trans-encrypts it as Enc(KDK_C, Dec(KDK_S, Enc(KDK_S, GK))) (note that this is a decrypt-then-encrypt process: what arrives encrypted is then given trans-encryption protection) and distributes it to the user terminal. At this point the user starts to send the file, and processing differs according to whether the file key information exists locally or on the server.
Step S12: the user sending end determines whether the file to be transmitted is being transmitted for the first time based on the file Hash corresponding to the file to be transmitted, and, according to the result of that determination, the file Hash, a random number and the group key, encrypts and processes the file to be transmitted and the file key corresponding to the file to be transmitted to obtain a target information packet; wherein the target information packet includes one or a combination of several of the file ID corresponding to the file to be transmitted, the file key derivation parameter ciphertext, and the attribute information of the file to be transmitted.
In this embodiment, when a cross-domain file is sent, the user sending end determines whether the file to be transmitted is being transmitted for the first time based on the file Hash corresponding to the file to be transmitted. If it is the first transmission, no file key information exists either locally or on the servers; in that case the random number and the file Hash are fed to a key derivation algorithm to generate the file key corresponding to the file to be transmitted. Key derivation algorithms include, but are not limited to, KDF (Key derivation function), PBKDF (Password-Based Key Derivation Function, a password-based derivation tool) and HKDF (HMAC-based Extract-and-Expand Key Derivation Function, a key derivation function based on a hash function).
The user sending end encrypts the file to be transmitted with the file key to obtain the corresponding file ciphertext. The user sending end uploads the file ciphertext to the domain server, the domain server forwards the file ciphertext to the central server, the central server generates the file ID (Identity document) corresponding to the file to be transmitted, and the file ID is returned to the user sending end. The file key is encrypted with the group key and with the second protection key respectively, to obtain the first file key derivation parameter ciphertext and the second file key derivation parameter ciphertext. Specifically, the group key GK and the domain server protection key EPKdomain are used to protect the file key, yielding key derivation parameter ciphertext 1 and ciphertext 2, where ciphertext 1 is Enc(GK, key derivation material) and ciphertext 2 is Enc(EPKdomain, key derivation material); the key derivation material here is the random number and the file Hash. The user terminal then uses DPK (the key used for file encryption, the last-level key) to encrypt the key derivation parameters, obtaining the local key ciphertext, and stores the file-related information locally.
The user sending end sends the file ciphertext, the first file key derivation parameter ciphertext, the second file key derivation parameter ciphertext, the file ID and the attribute information of the file to be transmitted to the domain server for storage, and the domain server trans-encrypts the second file key derivation parameter ciphertext based on the first protection key to obtain the third file key derivation parameter ciphertext. The domain server sends the first file key derivation parameter ciphertext, the third file key derivation parameter ciphertext, the file ID and the attribute information of the file to be transmitted to the central server, so that the central server saves the third file key derivation parameter ciphertext and the file ID, and distributes the first file key derivation parameter ciphertext, the file ID and the attribute information of the file to be transmitted to each domain server, to obtain a target information packet containing the first file key derivation parameter ciphertext, the file ID and the attribute information of the file to be transmitted. In more detail, the domain server stores the information related to the file and trans-encrypts ciphertext 2 under the central server protection key EPKcenter to generate ciphertext 3. It also sends ciphertext 1, ciphertext 3, the file ID and the other attribute information to the central server. Finally, the central server saves ciphertext 3 and the file ID, and distributes ciphertext 1, the file ID and the other file attribute information to each domain server, which in turn distributes them to each user receiving end.
If the file to be transmitted is not being transmitted for the first time, it is necessary to further determine whether file key information exists locally on the user side and on the server. Depending on the result, the key derived parameter ciphertext information, the file ID and other attribute information obtained locally are processed accordingly, and finally the user sends ciphertext 1, the file ID and other information to the domain server.
步骤S13、通过所述域服务器以及所述中心服务器将所述目标信息包分发至各所述用户接收端,以便所述用户接收端根据所述群组密钥对所述目标信息包进行解密,以得到解密后文件ID,并基于所述解密后文件ID获取所述待传输文件。Step S13: distribute the target information packet to each of the user receiving terminals through the domain server and the central server, so that the user receiving terminal decrypts the target information packet according to the group key to obtain a decrypted file ID, and obtains the file to be transmitted based on the decrypted file ID.
In this embodiment, the domain server forwards the target file information to the central server, so that the central server distributes the target file information to each domain server, and each domain server distributes it to each user receiving end. The target information packet is then distributed to each user receiving end through the domain server and the central server, so that the user receiving end decrypts the target information packet with the group key to obtain the decrypted file ID; based on the file ID, the file ciphertext corresponding to the file to be transmitted is pulled from the domain server or the central server, and the file ciphertext is decrypted according to the decrypted file ID to obtain the file to be transmitted and to determine whether it has been tampered with. In detail, when a cross-domain file is received, the file key derived parameters, the file ID and other related information are obtained by decrypting with the group protection key GK. The receiving end checks whether the file already exists locally; if it does, there is no need to download it again; otherwise the corresponding file ciphertext is pulled by file ID, from the domain server or the central server as needed. Finally, the file ciphertext is decrypted and it is determined whether the file has been tampered with.
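The first-transfer flow and the receiving-side tamper check described above, as an added example that is not part of the patent text. It assumes HKDF-SHA256 as the key derivation algorithm, symmetric GK, EPKdomain and EPKcenter keys, a standard-library stand-in cipher in place of a vetted one, and that tampering is detected by re-hashing the decrypted file against the file Hash carried in the key derivation material; all function names are hypothetical.

```python
import hashlib
import hmac
import os

# A fixed nonce is tolerable only because every file key is derived for one file.
FILE_NONCE = b"\x00" * 12


def hkdf_sha256(ikm, salt, info, length=32):
    """HKDF extract-and-expand (RFC 5869) with SHA-256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def stream_xor(key, nonce, data):
    """Stand-in stream cipher (HMAC-SHA256 in counter mode), an assumption of
    this example; a deployment would use a vetted cipher instead."""
    stream = bytearray()
    for ctr in range((len(data) + 31) // 32):
        stream += hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def wrap(kek, material):
    """Enc(kek, key derivation material), built as encrypt-then-MAC.
    Assumption: the wrapped material is authenticated, because the file Hash
    inside it is what the receiver later trusts for the tamper check."""
    nonce = os.urandom(12)
    body = stream_xor(hkdf_sha256(kek, nonce, b"wrap-enc"), nonce, material)
    mac_key = hkdf_sha256(kek, nonce, b"wrap-mac")
    return nonce + body + hmac.new(mac_key, nonce + body, hashlib.sha256).digest()


def unwrap(kek, blob):
    """Inverse of wrap(); raises ValueError if the blob was modified."""
    nonce, body, tag = blob[:12], blob[12:-32], blob[-32:]
    mac_key = hkdf_sha256(kek, nonce, b"wrap-mac")
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrapped key material failed authentication")
    return stream_xor(hkdf_sha256(kek, nonce, b"wrap-enc"), nonce, body)


def derive_file_key(rand, file_hash):
    """File key = KDF(random number, file Hash)."""
    return hkdf_sha256(ikm=rand, salt=file_hash, info=b"file-key")


def sender_first_transfer(plaintext, gk, epk_domain):
    """Encrypt the file once; wrap only the small derivation material twice."""
    file_hash = hashlib.sha256(plaintext).digest()
    rand = os.urandom(32)
    material = rand + file_hash
    file_ct = stream_xor(derive_file_key(rand, file_hash), FILE_NONCE, plaintext)
    ciphertext1 = wrap(gk, material)          # Enc(GK, material)
    ciphertext2 = wrap(epk_domain, material)  # Enc(EPKdomain, material)
    return file_ct, ciphertext1, ciphertext2


def domain_transcrypt(ciphertext2, epk_domain, epk_center):
    """Domain server: ciphertext 2 -> ciphertext 3 without touching the file."""
    return wrap(epk_center, unwrap(epk_domain, ciphertext2))


def receiver_open(file_ct, ciphertext1, gk):
    """Receiver: recover the material with GK, decrypt, then re-hash."""
    material = unwrap(gk, ciphertext1)
    rand, file_hash = material[:32], material[32:]
    plaintext = stream_xor(derive_file_key(rand, file_hash), FILE_NONCE, file_ct)
    if not hmac.compare_digest(hashlib.sha256(plaintext).digest(), file_hash):
        raise ValueError("file ciphertext was tampered with")
    return plaintext


if __name__ == "__main__":
    gk, epk_d, epk_c = os.urandom(32), os.urandom(32), os.urandom(32)
    sample = b"constructed sample file contents\n" * 100
    ct, c1, c2 = sender_first_transfer(sample, gk, epk_d)
    c3 = domain_transcrypt(c2, epk_d, epk_c)
    print("receiver recovered file:", receiver_open(ct, c1, gk) == sample)
    print("central server material matches:", unwrap(epk_c, c3) == unwrap(gk, c1))
```

The file ciphertext carries no tag of its own, so detection rests entirely on the file Hash inside ciphertext 1; if that wrapping were malleable, the check would no longer be trustworthy.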
In summary, when encrypting and transmitting cross-domain files, the present application first determines, after the domain server and the user have each registered successfully, whether a created user group exists in the central server. If not, the user group is created, a group key is generated, and the group key is sent to the user terminals based on the user group; the user terminals include a user sending end and a user receiving end. The user sending end then determines, based on the file Hash corresponding to the file to be transmitted, whether the file is being transmitted for the first time, and, according to the result, the file Hash, a random number and the group key, encrypts and processes the file to be transmitted and its file key to obtain a target information packet; the target information packet includes one or a combination of the file ID corresponding to the file to be transmitted, the file key derived parameter ciphertext and the attribute information of the file to be transmitted. Finally, the target information packet is distributed to each user receiving end through the domain server and the central server, so that the user receiving end decrypts the target information packet with the group key to obtain the decrypted file ID, and obtains the file to be transmitted based on the decrypted file ID. In this way, the present application encrypts the file using the file Hash and a random number, generating a new kind of session key, with no need to additionally use HMAC (Hash-based Message Authentication Code) or MAC (Media Access Control) for integrity protection. At the same time, in the present application the same file only needs to be uploaded once across the entire cross-domain network, and the client does not need to download the file repeatedly, which reduces costs and improves transmission efficiency. The processing complexity of the group communication key protection mechanism is lower, the advantage is more significant for large groups, and file utilization on the server is high.
基于上一实施例可知,本申请在确定待传输文件不是首次传输时,需要再次判断用户本地以及服务器中是否存在文件密钥信息。接下来将对不同判断结果下的相应处理过程进行具体描述。Based on the above embodiment, it can be known that when the present application determines that the file to be transmitted is not transmitted for the first time, it is necessary to determine again whether the file key information exists in the user's local computer and the server. Next, the corresponding processing procedures under different determination results will be described in detail.
As shown in FIG. 4, the present application discloses a cross-domain file sending process, including:
步骤S21、若待传输文件不是首次传输,且用户本地存在所述待传输文件对应的文件密钥,则直接从本地获取所述待传输文件对应的文件ID、初始文件密钥衍生参数密文以及所述待传输文件的属性信息。Step S21: If the file to be transmitted is not transmitted for the first time and the user has a file key corresponding to the file to be transmitted locally, directly obtain the file ID corresponding to the file to be transmitted, the initial file key derived parameter ciphertext and the attribute information of the file to be transmitted from the local computer.
本实施例中,待传输文件不是首次传输,且用户本地存在所述待传输文件对应的文件密钥,此时,请求获取文件密钥相关信息,之后便根据请求从本地获取密钥衍生参数密文信息、文件ID及其他属性信息。In this embodiment, the file to be transferred is not transferred for the first time, and the user has a file key corresponding to the file to be transferred locally. At this time, a request is made to obtain information related to the file key, and then the key derivation parameter ciphertext information, file ID and other attribute information are obtained locally according to the request.
步骤S22、通过新的群组密钥对所述初始文件密钥衍生参数密文对应的文件密钥衍生参数进行转加密保护以确定新的文件密钥衍生参数密文,以得到包含新的文件密钥衍生参数密文、所述文件ID以及所述待传输文件的属性信息的目标信息包。Step S22: The file key derivative parameters corresponding to the initial file key derivative parameter ciphertext are transcoded and protected by a new group key to determine a new file key derivative parameter ciphertext, so as to obtain a target information packet including the new file key derivative parameter ciphertext, the file ID and the attribute information of the file to be transmitted.
本实施例中,通过新的群组密钥转加密保护密钥衍生参数,得到密文1’。由此便获取了包含新的文件密钥衍生参数密文、所述文件ID以及所述待传输文件的属性信息的目标信息包。In this embodiment, the key derivation parameters are encrypted by the new group key to obtain the ciphertext 1'. Thus, a target information packet including the new file key derivation parameter ciphertext, the file ID and the attribute information of the file to be transmitted is obtained.
步骤S23、通过所述域服务器以及所述中心服务器将所述目标信息包分发至各所述用户接收端。Step S23: Distribute the target information packet to each of the user receiving terminals through the domain server and the central server.
接着将用户终端密文1’、ID及其他文件属性信息发送至域服务器,域服务器将收到的信息转发中心服务器,中心服务器分发至各域服务器,再由各域服务器分发至各用户接收端。Then the user terminal ciphertext 1', ID and other file attribute information are sent to the domain server. The domain server forwards the received information to the central server, and the central server distributes it to each domain server, which then distributes it to each user receiving end.
这样一来,同一文件只需在跨域全网上传一次,客户端无需重复下载文件,提高了传输效率,并降低了成本,同时降低群文件跨域传输时处理的复杂度。In this way, the same file only needs to be uploaded once across the entire cross-domain network, and the client does not need to download the file repeatedly, which improves transmission efficiency and reduces costs, while also reducing the complexity of processing group files across domains.
As shown in FIG. 5, the present application discloses another cross-domain file sending process, including:
步骤S31、若待传输文件不是首次传输,且用户本地不存在所述待传输文件对应的文件密钥,域服务器存在所述文件密钥,则通过所述域服务器基于所述文件信息获取请求将通过第二保护密钥加密后的文件ID、文件密钥衍生参数密文以及待传输文件的属性信息发送至用户终端。Step S31: If the file to be transferred is not transferred for the first time, and the user does not have the file key corresponding to the file to be transferred locally, but the domain server has the file key, the domain server sends the file ID encrypted by the second protection key, the file key derived parameter ciphertext, and the attribute information of the file to be transferred to the user terminal based on the file information acquisition request.
In this embodiment, if the file to be transmitted is not being transmitted for the first time, and the file key corresponding to the file does not exist locally on the user side but does exist on the domain server, the user sends a request to obtain the key derived parameters, the file ID and the attribute information of the file to be transmitted. The domain server receives the request, trans-encrypts the file-related information with KDK_C and distributes it to the client.
步骤S32、若所述待传输文件不是首次传输,且用户本地不存在所述待传输文件对应的文件密钥,所述域服务器不存在所述文件密钥,则通过所述域服务器将所述文件信息获取请求转发至中心服务器,以便所述中心服务器基于第一保护密钥对所述文件ID、初始文件密钥衍生参数密文以及所述待传输文件的属性信息进行转加密保护,以生成第四文件密钥衍生参数密文,并将所述第一保护密钥对所述文件ID、初始文件密钥衍生参数密文、所述待传输文件的属性信息以及所述第四文件密钥衍生参数密文分发至所述域服务器。Step S32: If the file to be transferred is not transferred for the first time, and the user does not have the file key corresponding to the file to be transferred locally, and the domain server does not have the file key, the file information acquisition request is forwarded to the central server through the domain server, so that the central server performs trans-encryption protection on the file ID, the initial file key derived parameter ciphertext, and the attribute information of the file to be transferred based on the first protection key to generate a fourth file key derived parameter ciphertext, and distributes the first protection key to the file ID, the initial file key derived parameter ciphertext, the attribute information of the file to be transferred, and the fourth file key derived parameter ciphertext to the domain server.
本实施例中,若域服务器不存在所述文件密钥,域服务器将该请求转发至中心服务器,中心服务器将该文件相关信息通过KDK_S转加密保护生成密文4,再将所述第一保护密钥对所述文件ID、所述初始文件密钥衍生参数密文、所述待传输文件的属性信息以及所述第四文件密钥衍生参数密文分发至所述域服务器。In this embodiment, if the domain server does not have the file key, the domain server forwards the request to the central server. The central server encrypts the file-related information through KDK_S to generate ciphertext 4, and then distributes the first protection key to the file ID, the initial file key derived parameter ciphertext, the attribute information of the file to be transferred, and the fourth file key derived parameter ciphertext to the domain server.
步骤S33、通过所述域服务器基于所述第二保护密钥对转加密保护后的第四文件密钥衍生参数密文发送至用户终端。Step S33: The domain server transmits the encrypted fourth file key derived parameter ciphertext to the user terminal based on the second protection key.
In this embodiment, the domain server trans-encrypts ciphertext 4 with KDK_C and distributes it to the client, and the domain server also stores the file key ciphertext and the file ID.
步骤S34、通过所述用户终端在收到服务器的响应信息后基于数据保护密钥DPK对所述文件密钥衍生参数密文进行转加密保护,以得到本地密钥密文,并将所述本地密钥密文、所述文件ID以及所述待传输文件的属性信息进行本地存储;通过所述用户终端在收到服务器的响应信息后基于所述群组密钥对所述文件密钥衍生参数密文进行转加密保护,以得到新的文件密钥衍生参数密文,基于新的文件密钥衍生参数密文、所述文件ID以及所述待传输文件的属性信息确定目标信息包。Step S34: after receiving the response information from the server, the user terminal trans-encrypts the file key derived parameter ciphertext based on the data protection key DPK to obtain a local key ciphertext, and locally stores the local key ciphertext, the file ID, and the attribute information of the file to be transmitted; after receiving the response information from the server, the user terminal trans-encrypts the file key derived parameter ciphertext based on the group key to obtain a new file key derived parameter ciphertext, and determines the target information package based on the new file key derived parameter ciphertext, the file ID, and the attribute information of the file to be transmitted.
In this embodiment, after receiving the server response, the user uses the group key to trans-encrypt the file key derived parameter ciphertext, obtaining a new file key derived parameter ciphertext and thus a target information packet that includes the new file key derived parameter ciphertext, the file ID and the attribute information of the file to be transmitted. The user also uses the local data protection key DPK to trans-encrypt the file key derived parameter ciphertext to obtain the local key ciphertext, and stores the local key ciphertext, the file ID and the attribute information of the file to be transmitted locally. The information is thus kept on the user terminal so that, at the next send, the terminal can check locally whether key-related information for the file to be sent exists. In general, the copy of the file key kept locally is encrypted with DPK and stored locally, while the copy sent to the receiving end is protected with the group key.
步骤S35、通过所述域服务器以及所述中心服务器将所述目标信息包分发至各所述用户接收端。Step S35: Distribute the target information packet to each of the user receiving terminals through the domain server and the central server.
本实施例中用户将密文1、文件ID等信息发送至域服务器,域服务器将收到的信息转中心服务器,中心服务器分发至各域服务器,再由各域服务器分发至各用户接收端。In this embodiment, the user sends ciphertext 1, file ID and other information to the domain server, the domain server transfers the received information to the central server, the central server distributes it to each domain server, and then each domain server distributes it to each user receiving end.
这样一来,同一文件只需在跨域全网上传一次,客户端无需重复下载文件,提高了传输效率,并降低了成本,同时降低群文件跨域传输时处理的复杂度。In this way, the same file only needs to be uploaded once across the entire cross-domain network, and the client does not need to download the file repeatedly, which improves transmission efficiency and reduces costs, while also reducing the complexity of processing group files across domains.
As shown in FIG. 6, an embodiment of the present invention discloses a device for supporting cross-domain file encryption transmission, including:
群组判断模块11,用于在域服务器以及用户分别注册成功后,判断中心服务器中是否存在已创建的用户群组,若不存在,则创建所述用户群组并产生群组密钥,并基于所述用户群组将所述群组密钥下发至用户终端;所述用户终端包括用户发送端以及用户接收端;The group determination module 11 is used to determine whether there is a created user group in the central server after the domain server and the user are successfully registered. If not, the user group is created and a group key is generated, and the group key is sent to the user terminal based on the user group. The user terminal includes a user sending end and a user receiving end.
传输文件判断模块12,用于通过所述用户发送端基于待传输文件对应的文件Hash判断所述待传输文件是否为首次传输,根据相应的判断结果、所述文件Hash、随机数以及所述群组密钥对所述待传输文件以及所述待传输文件对应的文件密钥进行相应的加密与处理,以得到目标信息包;其中,所述目标信息包包括所述待传输文件对应的文件ID、文件密钥衍生参数密文以及所述待传输文件的属性信息其中一种或几种的组合;The transmission file judgment module 12 is used to judge whether the file to be transmitted is transmitted for the first time based on the file Hash corresponding to the file to be transmitted by the user sending end, and encrypt and process the file to be transmitted and the file key corresponding to the file to be transmitted according to the corresponding judgment result, the file Hash, the random number and the group key to obtain a target information packet; wherein the target information packet includes one or a combination of the file ID corresponding to the file to be transmitted, the file key derived parameter ciphertext and the attribute information of the file to be transmitted;
传输文件获取模块13,用于通过所述域服务器以及所述中心服务器将所述目标信息包分发至各所述用户接收端,以便所述用户接收端根据所述群组密钥对所述目标信息包进行解密,以得到解密后文件ID,并基于所述解密后文件ID获取所述待传输文件。The transmission file acquisition module 13 is used to distribute the target information package to each of the user receiving terminals through the domain server and the central server, so that the user receiving terminal decrypts the target information package according to the group key to obtain a decrypted file ID, and obtains the file to be transmitted based on the decrypted file ID.
When encrypting and transmitting cross-domain files, the present application first determines, after the domain server and the user have each registered successfully, whether a created user group exists in the central server. If not, the user group is created, a group key is generated, and the group key is sent to the user terminals based on the user group; the user terminals include a user sending end and a user receiving end. The user sending end then determines, based on the file Hash corresponding to the file to be transmitted, whether the file is being transmitted for the first time, and, according to the result, the file Hash, a random number and the group key, encrypts and processes the file to be transmitted and its file key to obtain a target information packet; the target information packet includes one or a combination of the file ID corresponding to the file to be transmitted, the file key derived parameter ciphertext and the attribute information of the file to be transmitted. Finally, the target information packet is distributed to each user receiving end through the domain server and the central server, so that the user receiving end decrypts the target information packet with the group key to obtain the decrypted file ID, and obtains the file to be transmitted based on the decrypted file ID. In this way, the present application encrypts the file using the file Hash and a random number, generating a new kind of session key, with no need to additionally use HMAC or MAC for integrity protection. At the same time, in the present application the same file only needs to be uploaded once across the entire cross-domain network, and the client does not need to download the file repeatedly, which reduces costs and improves transmission efficiency. The processing complexity of the group communication key protection mechanism is lower, the advantage is more significant for large groups, and file utilization on the server is high.
在一些具体的实施例中,所述装置,还可以用于将所述域服务器注册至所述中心服务器,利用域服务器保护密钥对所述中心服务器产生的第一保护密钥进行加密,并将加密后的第一保护密钥发送至各所述域服务器;将所述用户注册至所述用户归属的域服务器,利用用户保护密钥对所述域服务器产生的第二保护密钥进行加密,并将加密后的第二保护密钥发送至各所述用户终端。In some specific embodiments, the device can also be used to register the domain server to the central server, encrypt the first protection key generated by the central server using the domain server protection key, and send the encrypted first protection key to each of the domain servers; register the user to the domain server to which the user belongs, encrypt the second protection key generated by the domain server using the user protection key, and send the encrypted second protection key to each of the user terminals.
在一些具体的实施例中,所述群组判断模块11,具体可以用于若不存在所述用户群组,则通过所述中心服务器创建所述用户群组并产生所述群组密钥;基于所述第一保护密钥将所述群组密钥进行加密保护后分发至所述域服务器,以便所述域服务器基于所述第一保护密钥以及所述第二保护密钥对所述群组密钥进行先解密后加密的操作,以得到加密后群组密钥,并基于所述用户群组将所述加密后群组密钥下发至所述用户终端。In some specific embodiments, the group judgment module 11 can be specifically used to create the user group and generate the group key through the central server if the user group does not exist; encrypt and protect the group key based on the first protection key and distribute it to the domain server, so that the domain server decrypts and then encrypts the group key based on the first protection key and the second protection key to obtain the encrypted group key, and sends the encrypted group key to the user terminal based on the user group.
In some specific embodiments, the transmission file judgment module 12 can be specifically used to: if the file to be transmitted is being transmitted for the first time, apply a key derivation algorithm to a random number and the file Hash to generate the file key corresponding to the file to be transmitted; encrypt, by the user sending end, the file to be transmitted with the file key to obtain the corresponding file ciphertext; upload, by the user sending end, the file ciphertext to the domain server, so that the domain server forwards the file ciphertext to the central server, and the central server generates the file ID corresponding to the file to be transmitted and returns the file ID to the user sending end; encrypt the file key with the group key and the second protection key respectively to obtain the first file key derived parameter ciphertext and the second file key derived parameter ciphertext; send, by the user sending end, the file ciphertext, the first file key derived parameter ciphertext, the second file key derived parameter ciphertext, the file ID and the attribute information of the file to be transmitted to the domain server for storage, and trans-encrypt, by the domain server, the second file key derived parameter ciphertext based on the first protection key to obtain the third file key derived parameter ciphertext; and send, by the domain server, the first file key derived parameter ciphertext, the third file key derived parameter ciphertext, the file ID and the attribute information of the file to be transmitted to the central server, so that the central server saves the third file key derived parameter ciphertext and the file ID, and distributes the first file key derived parameter ciphertext, the file ID and the attribute information of the file to be transmitted to each domain server, to obtain a target information packet containing the first file key derived parameter ciphertext, the file ID and the attribute information of the file to be transmitted.
在一些具体的实施例中,所述传输文件判断模块12,具体可以用于若所述待传输文件不是首次传输,且用户本地存在所述待传输文件对应的文件密钥,则直接从本地获取所述待传输文件对应的所述文件ID、初始文件密钥衍生参数密文以及所述待传输文件的属性信息;通过新的群组密钥对所述初始文件密钥衍生参数密文对应的文件密钥衍生参数进行转加密保护以确定新的文件密钥衍生参数密文,以得到包含新的文件密钥衍生参数密文、所述文件ID以及所述待传输文件的属性信息的目标信息包。In some specific embodiments, the transmission file judgment module 12 can be specifically used to directly obtain the file ID, initial file key derived parameter ciphertext and attribute information of the file to be transmitted corresponding to the file to be transmitted from the local computer if the file to be transmitted is not transmitted for the first time and the user has the file key corresponding to the file to be transmitted locally; and to perform encryption protection on the file key derived parameter corresponding to the initial file key derived parameter ciphertext using a new group key to determine a new file key derived parameter ciphertext, so as to obtain a target information packet containing the new file key derived parameter ciphertext, the file ID and the attribute information of the file to be transmitted.
In some specific embodiments, the transmission file judgment module 12 can be specifically used to: if the file to be transmitted is not being transmitted for the first time, and the file key corresponding to the file does not exist locally on the user side but does exist on the domain server, send, by the domain server and based on the file information acquisition request, the file ID encrypted by the second protection key, the file key derived parameter ciphertext and the attribute information of the file to be transmitted to the user terminal; if the file to be transmitted is not being transmitted for the first time, and the file key corresponding to the file exists neither locally on the user side nor on the domain server, forward, by the domain server, the file information acquisition request to the central server, so that the central server trans-encrypts the file ID, the initial file key derived parameter ciphertext and the attribute information of the file to be transmitted based on the first protection key to generate a fourth file key derived parameter ciphertext, and distributes the first protection key to the file ID, the initial file key derived parameter ciphertext, the attribute information of the file to be transmitted and the fourth file key derived parameter ciphertext to the domain server; send, by the domain server, the fourth file key derived parameter ciphertext that has been trans-encrypted based on the second protection key to the user terminal; after the user terminal receives the response information of the server, trans-encrypt the file key derived parameter ciphertext based on the data protection key DPK to obtain a local key ciphertext, and locally store the local key ciphertext, the file ID and the attribute information of the file to be transmitted; and, after the user terminal receives the response information of the server, trans-encrypt the file key derived parameter ciphertext based on the group key to obtain a new file key derived parameter ciphertext, and determine the target information packet based on the new file key derived parameter ciphertext, the file ID and the attribute information of the file to be transmitted.
在一些具体的实施例中,所述装置,还可以用于若存在所述用户群组,则直接将所述群组密钥下发至所述用户终端。In some specific embodiments, the device may also be used to directly send the group key to the user terminal if the user group exists.
在一些具体的实施例中,所述传输文件获取模块13,具体可以用于通过所述域服务器将所述目标文件信息转发至所述中心服务器,以便所述中心服务器将所述目标文件信息分发至各所述域服务器,并通过各所述域服务器将所述目标文件信息分发至各所述用户接收端。In some specific embodiments, the transmission file acquisition module 13 can be specifically used to forward the target file information to the central server through the domain server, so that the central server distributes the target file information to each of the domain servers, and distributes the target file information to each of the user receiving ends through each of the domain servers.
在一些具体的实施例中,所述传输文件获取模块13,具体可以用于通过所述域服务器以及所述中心服务器将所述目标信息包分发至各所述用户接收端,以便所述用户接收端根据所述群组密钥对所述目标信息包进行解密,以得到解密后文件ID;基于所述文件ID从所述域服务器或所述中心服务器中拉取所述待传输文件对应的文件密文,并根据所述解密后文件ID对所述文件密文进行解密,以得到所述待传输文件并确定所述待传输文件是否被篡改。In some specific embodiments, the transmission file acquisition module 13 can be specifically used to distribute the target information package to each of the user receiving terminals through the domain server and the central server, so that the user receiving terminal decrypts the target information package according to the group key to obtain a decrypted file ID; based on the file ID, the file ciphertext corresponding to the file to be transmitted is pulled from the domain server or the central server, and the file ciphertext is decrypted according to the decrypted file ID to obtain the file to be transmitted and determine whether the file to be transmitted has been tampered with.
进一步的,本申请实施例还公开了一种电子设备,图7是根据一示例性实施例示出的电子设备20结构图,图中的内容不能认为是对本申请的使用范围的任何限制。Furthermore, an embodiment of the present application also discloses an electronic device. FIG. 7 is a structural diagram of an electronic device 20 according to an exemplary embodiment. The content in the diagram cannot be regarded as any limitation on the scope of use of the present application.
FIG. 7 is a schematic structural diagram of an electronic device 20 provided in an embodiment of the present application. The electronic device 20 may specifically include: at least one processor 21, at least one memory 22, a power supply 23, a communication interface 24, an input/output interface 25, and a communication bus 26. The memory 22 is used to store a computer program, which is loaded and executed by the processor 21 to implement the relevant steps of the cross-domain file encryption transmission method disclosed in any of the foregoing embodiments. In addition, the electronic device 20 in this embodiment may specifically be an electronic computer.
In this embodiment, the power supply 23 provides the working voltage for each hardware device on the electronic device 20. The communication interface 24 creates a data transmission channel between the electronic device 20 and external devices; the communication protocol it follows may be any communication protocol applicable to the technical solution of the present application and is not specifically limited here. The input/output interface 25 is used to obtain external input data or to output data externally; its specific interface type may be selected according to the needs of the specific application and is not specifically limited here.
In addition, the memory 22, as a carrier for resource storage, may be a read-only memory, a random access memory, a magnetic disk, an optical disk, or the like. The resources stored on it may include an operating system 221, a computer program 222, and so on, and the storage may be temporary or permanent.
The operating system 221 is used to manage and control the hardware devices on the electronic device 20 and the computer program 222, and may be Windows Server, Netware, Unix, Linux, etc. In addition to the computer program that can be used to carry out the cross-domain file encryption transmission method executed by the electronic device 20 as disclosed in any of the foregoing embodiments, the computer program 222 may further include computer programs that can be used to carry out other specific tasks.
Furthermore, the present application also discloses a computer-readable storage medium for storing a computer program, wherein the computer program, when executed by a processor, implements the cross-domain file encryption transmission method disclosed above. For the specific steps of the method, refer to the corresponding content disclosed in the foregoing embodiments; they are not repeated here.
The embodiments in this specification are described in a progressive manner. Each embodiment focuses on its differences from the other embodiments, and the same or similar parts of the embodiments can be cross-referenced. Because the apparatus disclosed in the embodiments corresponds to the method disclosed in the embodiments, its description is relatively brief; for the relevant details, refer to the description of the method.
Those skilled in the art will further appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware, computer software, or a combination of the two. To clearly illustrate the interchangeability of hardware and software, the composition and steps of each example have been described above in general terms according to function. Whether these functions are performed in hardware or in software depends on the specific application and the design constraints of the technical solution. Those skilled in the art may use different methods to implement the described functions for each specific application, but such implementations should not be considered to be beyond the scope of this application.
The steps of the method or algorithm described in connection with the embodiments disclosed herein may be implemented directly in hardware, in a software module executed by a processor, or in a combination of the two. The software module may reside in random access memory (RAM), memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, a register, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
Finally, it should be noted that, in this document, relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between these entities or operations. Moreover, the terms "include", "comprise" and any other variants thereof are intended to cover non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "including a ..." does not exclude the presence of additional identical elements in the process, method, article or device that includes the element.
The technical solution provided by the present application has been described in detail above. Specific examples are used herein to explain the principles and implementation of the present application, and the description of the above embodiments is intended only to help in understanding the method of the present application and its core idea. At the same time, those of ordinary skill in the art may, in accordance with the idea of the present application, make changes to the specific implementation and the scope of application. In summary, the content of this specification should not be construed as a limitation on the present application.
| Application Number | Publication | Priority Date | Filing Date | Title |
|---|---|---|---|---|
| CN202410766226.6A | CN118646572A (en) | 2024-06-14 | 2024-06-14 | A method, device, equipment and medium supporting cross-domain file encryption transmission |
| Publication Number | Publication Date |
|---|---|
| CN118646572A (en) | 2024-09-13 |
| Application Number | Status | Publication | Priority Date | Filing Date | Title |
|---|---|---|---|---|---|
| CN202410766226.6A | Pending | CN118646572A (en) | 2024-06-14 | 2024-06-14 | A method, device, equipment and medium supporting cross-domain file encryption transmission |
| Country | Link |
|---|---|
| CN (1) | CN118646572A (en) |
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||